Canadian Underwriter

First five months of 2016 dominated by malicious email campaigns of unprecedented volume, new ransomware variants

July 26, 2016   by Canadian Underwriter


The first five months of 2016 were dominated by malicious email campaigns of unprecedented volume, with new ransomware variants emerging quickly and actors “repeatedly [shifting] tactics with new loaders, document attachment types and obfuscation techniques to evade detection,” according to cybersecurity company Proofpoint, Inc.

The Proofpoint Quarterly Threat Summary, released on Tuesday, said that JavaScript attachments led an explosion of malicious message volume – 230% quarter over quarter. “Many Locky and Dridex actors turned to JavaScript files attached to email messages to install payloads,” the report said. “These attacks were among the largest campaigns we have ever observed, peaking at hundreds of millions of messages a day.”
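The delivery technique described above, script files attached to email (often wrapped in a zip), is something a mail gateway can flag before the message reaches a user. The following scanner is an added example, not code from Proofpoint or Canadian Underwriter; the extension list and the sample message are assumptions constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed list of script extensions used by email-borne loaders (assumption).
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".hta"}


def _is_script_name(name):
    # Double extensions such as "invoice.pdf.js" still end in a script extension.
    name = (name or "").lower()
    return any(name.endswith(ext) for ext in SCRIPT_EXTS)


def find_script_attachments(raw):
    """Return names of script-type attachments, descending into zip archives."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if _is_script_name(name):
            hits.append(name)
        # Check the magic bytes rather than the declared type or extension.
        if payload[:4] == b"PK\x03\x04":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if _is_script_name(member):
                            hits.append(f"{name}:{member}")
            except zipfile.BadZipFile:
                pass  # corrupt archive: leave it to other controls
    return hits


def build_sample():
    # Constructed sample message: a zip holding a double-extension .js file
    # plus a harmless placeholder PDF, mimicking the lure described in the text.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016.pdf.js", "// placeholder, not a real script\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()
```

Run `find_script_attachments(build_sample())` to see the nested script flagged as `invoice.zip:invoice_2016.pdf.js` while the PDF passes.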

Among email attacks that used malicious document attachments, 69% featured the new Locky ransomware in Q2, versus 24% in Q1. “That surge propelled Locky into the top spot for email-based malware, displacing Dridex,” the report said, adding that CryptXXX appeared on the scene in Q2 and quickly dominated the EK (exploit kit) landscape. Among the top 10 malicious email threats observed in Q2, the Locky strain accounted for 41% of all payloads, nearly doubling its share of the top 10 email-based threats.

Overall, the number of new ransomware variants (most distributed by EKs) grew by a factor of five to six since the fourth quarter of 2015. Researchers also observed multiple payloads being distributed in a single campaign, highly personalized large-scale attacks, rotating and geo-targeted lure documents, and a “crossover” campaign that attached malware to credential phishing. “In short, threat actors are using a wide variety of techniques to expand attack surfaces and capitalize on clicks in socially engineered attacks,” the report said.

Other findings of the report included:

  • Business email compromise (BEC) attempts were surprisingly common, with 80% of a representative sample of Proofpoint customers experiencing at least one BEC phishing attack in the last month. Attackers also changed lures based on seasonal events such as tax reporting and varied their approaches to increase the effectiveness and scale of the attacks;
  • EK traffic observed by Proofpoint dropped by 96% between April and mid-June. The Necurs botnet went offline in June, silencing the massive Locky and Dridex campaigns that defined the first half of 2016. Traffic from the Angler EK had completely disappeared by early June, shortly after the Nuclear EK had shuttered operations. That left Neutrino as the top EK by the end of June;
  • 98% of mobile malware is still associated with the Android platform. “This proportion is holding steady,” the report said;
  • As many as 10 million Android devices were compromised by exploit kits. The EKs targeted multiple vulnerabilities that let attackers take control of the devices. In most cases, this control was used to download adware that generated profits for threat actors; and
  • Social media phishing attempts rose by 150%. Organizations continued to cope with spam, adult content and other issues that overwhelmed their ability to resolve the issues manually.

“Q2 2016 cybersecurity threats were categorized by high volumes, amplified variation and sudden silence, which didn’t last long,” said Patrick Wheeler, director of threat intelligence for Proofpoint. “After dominating the malware landscape for 15 months, Dridex was officially dethroned as the top malicious email attachment security threat. Locky ransomware took the top spot, driven by a 5-6 factor jump in ransomware variants since Q4 2015. JavaScript attachments also increased more than 200% and approximately 80% of our customers were attacked by at least one business email compromise attack.”